How to use Graphiql when /graphql protected by JWT token (authorization header) #59
Comments
|
Download @skevy's https://github.com/skevy/graphiql-app and your header. I have the same setup as you and use this daily. |
|
@KyleAMathews awesome, I will give it a shot (my main computer is linux distro though...). thanks |
|
@sulliwane - I'm sure it would compile on Linux - just haven't tried. |
|
I just tried I close this issue as I have the answer now. |
|
Any reason to close this issue and opposed to adding the header editor to the (main) graphiql? |
|
No reason, indeed it would be nice if we could set the header directly into graphiql app. (I'm using graphiql-app right now.) |
|
GraphiQL is generic and doesn't know anything about the network! This is great because you can configure it to use whatever your GraphQL server uses. This is how @skevy was able to build a standalone app version of GraphiQL. I suggest taking a look at the example - where you see Often, when your GraphQL endpoint is behind a authorization feature like this, it is common to expose the GraphiQL tool via a different endpoint on your server. |
|
@leebyron I would agree being generic is a reason not to automate everything. I would think, though, that being generic is exactly why it DOES makes sense to have a field allowing custom headers to be set manually by the user! I'm also unclear as to your last statement. It doesn't avoid the need for auth tokens to be pushed around. |
|
@MarkAndrewJohnson @sulliwane @cancan101 @KyleAMathews Guys, it would be interesting to get your opinion on this graphql/express-graphql#101 |
|
I found a way to fix this problem. On Chrome, you can install an extention |
|
Look at auth-graphiql (https://github.com/vitalcode/auth-graphiql) that wraps GraphiQL providing support for bearer token and arbitrary URL. Great for testing GraphQL services secured with OAuth 2.0. |
|
For those still having this issue, my coworker came up with a cheap solution (in Express in my case). Have your GraphiQL answer at another endpoint as Lee said above and apply |
|
Actually, I use a simple solution between our GraphQL development process. If you GraphQL server parse a We can pass I parse a token with something like |
|
FWIW... In dev mode only, I've set up my server to save the most recent valid token used for the graphql endpoint, and slap it on any subsequent graphiql-driven queries (where the referer header is graphiql). I just sign into the app and then can use graphiql at will. |
|
Easy implementation to get JWT Token support in GraphiQL https://gist.github.com/sasso/3c3d728e0049d5b66a2c19b349b7f164
|
|
@Sasso Thanks, but your old version does not support websockets :-( |
|
Hope this helps. How I implimented custom headers for my GraphiQL interface with a express-graphql server. Modify your server to handle post requests from one endpoint and get requests to the graphiql interface on another. Basically you need to create a new index.html for your GraphiQL interface and add it to your servers public directory i.e. I use webpack and the html-webpack-plugin to bundle the index.html. This allows it to get the correct version of graphql used in my project from the CDN. Below is an example of my webpack config and my ejs template of the index.html. webpack.config.js graphiql.ejs |
|
Thanks for sharing @emjaksa. |
|
@emjaksa Your code is working fine with query operations, what about subscriptions?... |
|
@connorshea excellent point, yes. possibly we can add custom headers to the graphiql cdn exmaple? |
|
The |
|
I'm deep into 2.0.0 plugin API now, but possibly @connorshea can add that for another 1.0.0 release? I should have caught that in the review, my bad. |
|
to confirm, @jonaskello it was not added. i will pivot to fix this issue! |
|
released #1593 as |
|
👍 @acao I think we can close this now :) |
|
@acao I can confirm it works! Thanks :-) |
|
thanks everyone! for the record, and you can see this in the GraphiQL readme now, you can enable the headers editor with thanks @connorshea for your work and @harshithpabbati and @ncthbrt for helping to review! any new features for this will be part of consider this a bonus for the very long feature freeze as we had to spend so long preparing GraphiQL for the rewrite, performing the rewrite, and are now working on the plugin spec. the new SDK-oriented approach will be very rewarding! |
|
to add, if there are any more bugs with this new feature, we will gladly introduce them to 1.0.x patches :) |
@acao |
@acao you may want to edit this to save people time trying to figure out why it doesn't work - it's (edit - shameless plug - I just made this, feedback welcomed https://github.com/penx/graphiql-middleware ) |
|
@penx thanks for the catch, will update! your middleware looks great but it exposes a huge template injection attack surface - exposing xss and other potential attack vectors! i had to issue a CVE for graphql playground and issue a security fix for the same exact reasons. playground repo now has an example with a readme that explains all of this we will be rolling our own middeware packages soon when i have time to get to it. there is still an open PR that needs cleanup if you want to create a new PR based off that to help advance that! We actually use ReactDOM/server in that PR there, but an xss filtered template tag implementation ala the new playground fix would be welcome as well. you can introduce several new typescript packages if you want, or just a basic underling renderer method like playground-html |
This worked great, except the graphiql screen falls off the bottom of the page. Here's a version using flexbox that aligns it properly: https://gist.github.com/craigmit/44499818664fc34083f2aa96069f0636 |
|
You could also use the headers editor:
|
|
Thanks @benjie I didn't see that I modified the new GraphiQL html, to automatically set the auth header from a # param (so you can call it directly from your application, automatically setting the Authorization header): https://gist.github.com/craigmit/0cce78ffe33ca3551fbcc35016e8b3e2 Usage is: and it will set the Authorization header for you. The only change to the original graphiql html was the addition of: const tokenParam = window.location.hash.substr(1);
if (tokenParam) {
headers = {"Authorization": "Bearer " + tokenParam}
window.history.replaceState({}, document.title, window.location.href.split('#')[0]);
} |
|
The request headers box works a treat! const editor = (<GraphiQL headerEditorEnabled={true} fetcher={graphQLFetcher} />);
ReactDOM.render(editor, document.getElementById('graphiql-app'));However, you must pass the headers through in your fetcher. For example: const graphQLFetcher = async (graphQLParams, opts) => {
const { headers = {} } = opts;
const response = await fetch('/graphql', {
method: 'post',
headers: {
'Accept': 'application/json',
'Content-Type': 'application/json',
...headers,
},
body: JSON.stringify(graphQLParams),
});
return response.json();
}; |
|
|
|
@m-thirumal hello, i try to configure api platform with jwt and graphql but I can’t do it… all the time I have 403 when I use security granted… can you explain how have you configure security.yaml (and other file maybe) to make work pls 😕 ? |
|
|
I have been digging through this thread trying to find a way to pass a header, the authorization header, to Graphiql in the request. I am running Graphiql in an iFrame from Is this possible? |
Not a solution but a work-around. You can run a local proxy that puts the GraphiQL UI and the GraphQL endpoint on the same port then the headers are shared automatically. |
|
You can inject the following code snippet to make GraphiQL IDE work with Firebase Auth (ID token): <script type="module">
import { initializeApp } from "https://www.gstatic.com/firebasejs/9.22.0/firebase-app.js";
import { getAuth } from "https://www.gstatic.com/firebasejs/9.22.0/firebase-auth.js";
const app = initializeApp({
projectId: "example",
appId: "xxxxx",
apiKey: "xxxxx",
authDomain: "example.com"
});
function setAuthHeader(token) {
const editor = document.querySelectorAll('.variable-editor .CodeMirror')[1].CodeMirror;
const headers = JSON.parse(editor.getValue());
headers.Authorization = token ? "Bearer " + token : undefined;
editor.setValue(JSON.stringify(headers, null, 2));
}
getAuth(app).onAuthStateChanged((user) => {
if (user) {
user.getIdToken().then(token => setAuthHeader(token));
} else {
setAuthHeader(null);
}
});
</script>https://www.codementor.io/@koistya/graphiql-with-firebase-auth-251hx5qhz3
|
and others
My /graphql route is protected by JWT token, so every HTTP request needs to set:
To get through the authentication middleware and hit /graphql.
How to manage this authentication step when using graphiql ? graphiql is so convenient, it's a pity to not use it :(
thanks for any suggestion!
The text was updated successfully, but these errors were encountered: